Logging Out of the Persistent Sessions

When a user performs an explicit logout, Identity Server clears the persistent authentication cookie at the browser if the logout request goes through the browser.

If SOAP communication is used between the service provider and Identity Server, Identity Server does not clear the cookie automatically. The cookie can only be cleared by sending a request to a page on the server that issued it. If the page is available on Identity Server, the clearCookieAuth.jsp file clears the cookie. You must customize the service provider’s logout page to run Identity Server’s clearCookieAuth.jsp page.

The URL for this page is https://idpserver.example.com/nidp/clearCookieAuth.jsp. Any request to that URL clears the authentication cookie.

With this class in use, the user cannot log out of the system, because re-accessing any protected page re-authenticates the user with the user information stored in the browser store. There are at least two ways to invalidate an outstanding browser-stored authentication cookie. The first is to change the user’s password and the second is to clear the stored cookie from the browser. The only way to invalidate the cookie is to change the encryption key used. The cookie that is created can only be cleared by a request from the server that created it.

The following configurations are specific to the Access Manager service provider. For a third-party service provider, the user must customize the logout pages.

In a federation scenario, add the following to the logoutSuccess.jsp file of the service provider. You can redirect the logout page to this page, or have an <iframe> that references the page. You can also customize the Access Gateway logoutSuccess.jsp file to provide login links or instructions to your users.

<tr>
   <td> <iframe src="https://idp.labs.com:8443/nidp/jsp/clearCookieAuth.jsp" width="0" height="0"></iframe> </td>
</tr>

where idp.labs.com is the URL of Identity Server.
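The following check is an added example, not part of the product documentation: it audits a customized logout page to confirm that a properly closed iframe loads clearCookieAuth.jsp over HTTPS from the Identity Server that issued the cookie. The function name audit_logout_page and the sample pages are hypothetical; the host and path are the ones used in the snippet above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

CLEAR_PAGE = "/clearCookieAuth.jsp"  # page name taken from the text above


class _IframeScan(HTMLParser):
    """Collects iframe src values and counts closing </iframe> tags."""
    def __init__(self):
        super().__init__()
        self.sources, self.closed = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag == "iframe":
            self.closed += 1


def audit_logout_page(html, idp_origin):
    """Return a list of findings; an empty list means the page passes."""
    scan = _IframeScan()
    scan.feed(html)
    scan.close()
    want = urlsplit(idp_origin)
    hits = [u for u in map(urlsplit, scan.sources) if u.path.endswith(CLEAR_PAGE)]
    if not hits:
        return ["no iframe loads clearCookieAuth.jsp; the cookie survives logout"]
    findings = []
    for u in hits:
        if u.scheme != "https":
            findings.append(f"{u.geturl()}: not loaded over https")
        if u.netloc.lower() != want.netloc.lower():
            findings.append(f"{u.geturl()}: host is not {want.netloc}, "
                            "and only the issuing server can clear the cookie")
    if scan.closed < len(scan.sources):
        findings.append("unclosed <iframe>; markup after it may be swallowed")
    return findings


# Constructed sample pages (not real deployments).
GOOD = ('<tr><td><iframe src="https://idp.labs.com:8443/nidp/jsp/'
        'clearCookieAuth.jsp" width="0" height="0"></iframe></td></tr>')
WRONG_HOST = GOOD.replace("idp.labs.com", "sp.labs.com")

if __name__ == "__main__":
    for name, page in (("good", GOOD), ("wrong host", WRONG_HOST)):
        print(name, audit_logout_page(page, "https://idp.labs.com:8443"))
```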

For information about how to modify a file, see Modifying Configurations.